The annual RSA conference kicks off today, and our team at VMware is fired up about ongoing developments in the security space. To provide some perspective on VMware’s approach, our CTO Steve Herrod is keynoting today at the Cloud Security Alliance summit. I’d like to give you a glimpse of the commentary he has planned.

Today, IT is in a state of great change that has deep implications for the security community. We can see that data and applications are being accessed in a variety of new ways: SaaS applications are firmly entrenched, mobile applications are a demanding participant in any IT architecture, and simultaneously, existing applications are being housed in virtual containers. Effective support and control of these diverse tools demands an updated approach to IT security.

Two distinct areas require focus in a modern IT security strategy:

the infrastructure that supports your IT assets

access to these assets

Consider the supporting infrastructure

Existing applications and data are being virtualized at a rapid pace. Over 50% of servers are now virtualized, on pace to reach 80M virtual machines by 2014. With the virtual server installed base growing at this rate, a traditional security strategy based on physical assets is being stretched irreversibly.

As virtualization becomes more deeply embedded, datacenter density is increasing and the days of an application being tied to a single piece of hardware are long gone. Furthermore, as the datacenter network inexorably moves towards a 10GbE access layer and 40/100GbE cores, physical firewalls/security will not be able to keep up. Here is an insightful note from Jon Oltsik:

Add the emergence of hybrid clouds to today’s IT landscape and one can see the need for a wider and more complete approach to security.

The best way to manage the scale of virtualization, consolidation and high-performance networking, the emergence of hybrid clouds and the requirements of new applications is through the establishment of logical trust zones for all applications and data. This approach untethers application deployment from the constraints of physical network segmentation and clustering, moving firewalls into the virtual plane and enabling linear scale-out access control. Logical infrastructure isolation and access control is the most efficient way to manage security in a highly virtualized environment.

How do we access the assets?

The trends around BYOD (Bring Your Own Device), any device anywhere, multiple personas and web-centric computing are contributing to an essential crumbling of the traditional security perimeter. Users will ultimately abandon traditional static, physically limiting access to their applications and data.

Access to apps/data in the new world will focus more on the authenticity of the persona (versus the device), and the establishment of dynamic authorization directives (e.g. OAuth2, identity-aware firewalls). Likewise, on the datacenter side of the equation, the landing spot for access will extend the traditional physical DMZ and include logical, tenant-specific DMZs fronting logical apps (e.g. 3-tier apps, VDI pools). Apps/data fronted by such virtual DMZs, with policies to restrict access based on authenticated and authorized personas, will become the norm in the emerging world order.

In short, a new security architecture has emerged to support virtualized IT infrastructure and user behavior around access to IT assets. Fundamental to this new architecture are:

"Need to know" access based on authenticated & authorized personas

Logical trust zones for apps, and data privacy

Logical infrastructure isolation and access control

Virtual DMZ to buffer access from any device anywhere

Each vApp (collection of related apps, servers and data) gets its own secure container, including a virtualized DMZ to restrict access. Once this proactive security architecture is in place, traditional threat defense like AV, IDS/IPS, DLP, etc., can be virtualized, inserted and enforced at such logical trust zone boundaries.

One can observe overall that security is moving closer to IT assets and becoming logical, vs. the traditional physical approach. To a large extent, there seems to be a parallel with what's going on with the virtualization of networking, per my last posts on logical networks and VXLANs. This transformation leads to better security than was possible before…and the change is taking place right now.

Steve Herrod, VMware CTO, will discuss these trends and requirements in his Cloud Security Alliance keynote on Monday, February 27th at 12:30PM.

Phew, nothing like spending time at VMworld, which has become the new mecca for IT professionals everywhere - thanks again to everyone for the support and encouragement, egging us to keep on truckin'!

In my last post, I talked about the need to have logical networks, edges and trust zones on a per tenant basis, and the need to map these onto provider networks that are increasingly becoming fast, fat and flat. At VMworld 2011, we announced some key advancements that make these concepts a reality; VMware and partner booths demonstrated a variety of Software Defined Networking solutions, leveraging VXLANs, vCloud Director, vShield and vSphere/vCenter, all part of the emerging Cloud Infrastructure Suite – we are getting closer to what Paul Maritz refers to as the “invisible infrastructure”…

One of the bigger announcements made at VMworld was the VXLAN initiative. See Steve’s post on the subject, and this writeup from Mallik Mahalingam, Principal Engineer at VMware, who has spearheaded this effort at VMware.

From a wire-protocol perspective, VXLAN is essentially a MAC-in-UDP frame format, including a 24-bit segment ID. Effectively, UDP gets you to the right ESX host/controller, the segment ID gets you to the respective Org/Tenant, and the “inner” MAC gets you to the right vNIC/VM in the Org. Additionally, tenant broadcasts are converted to IP multicasts (Protocol Independent Multicast – PIM).

VMware has been collaborating with Arista, Broadcom, Brocade, Cisco, Emulex, Intel and several industry players to work towards standardizing this protocol. With the broad collaboration, expect to see VXLANs become the currency for multi-tenant data center networking (enabling multi-tenant data center fabrics), with NIC vendors providing native offload/acceleration of VXLAN frames, Top of Rack and switch/router vendors providing fast, fat and flat implementations of the protocol, and vendors building VXLAN-VLAN gateways to enable high performance, mixed environments.

What’s nice about VXLANs is that they leverage existing infrastructure, yet can take advantage of advances in data center fabric and server NIC technologies as these become available. However, the really big deal here is that the broad (virtualization, system/NIC, and networking vendors) convergence on the frame format enables the industry to move on, and focus on innovation in the data center fabric, within the virtualization layer, and in delivering capabilities to cloud tenants/orgs.

Building logical networks on the VXLAN foundation

So, on the infrastructure provider side of the equation, VXLANs provide us the capability to realize isolated, multi-tenant broadcast domains across data center fabrics. Let’s talk about how VMware and partners leverage this capability in emerging provider networks to provide elastic, logical networks to tenant/org VDCs.

The Virtual Distributed Switch abstracts the data center fabric and provides a sea of ports. vCloud Director (VCD) creates an Org Virtual Data Center (VDC), including allocating compute and storage resources. Tenants/orgs can now provision their own logical network to connect these resources. VCD delegates networking/security control to the vShield Manager, which in turn creates a VDS port group backed by a VXLAN, maps the tenant ID to the VXLAN segment ID, and connects org VMs to the respective ports in the port group. Additionally, vShield Edge provides multicast services, and maps tenant broadcasts into provider multicasts (using PIM). We now have VXLAN-backed logical networks, which are elastic (add/delete vNICs/ports on an as-needed basis).

With networking constraints out of the way, VDCs can now span cluster, pod and subnet boundaries, removing one of the major limitations in the data center. The concept of elastic VDCs was an important part of the newly released vCloud Director 1.5.

Two very cool options, which highlight the power of the VXLAN construct and logical networking:

With VXLAN-VLAN gateways, you can have VMs and physical servers share the same broadcast domain!

Towards secure, elastic hybrid clouds

The elastic VDC constructed above can likewise be instantiated in cloud infrastructure hosted by a VMware Cloud Provider partner. vShield Edge can be used to instantly provision a secure L3 tunnel to the remote VDC. VMs can now be moved between the local VXLAN and remote VXLAN as needed.

What about securing these VDCs, whether local or remote? This is where the rest of the vShield portfolio, and our ecosystem partners come into play. The following is a depiction of the different elements of the solution:

It was very gratifying to see Los Alamos National Laboratory (LANL) talk through how they had deployed ALL of the above. Last year LANL was the first government agency to deploy their Infrastructure on Demand (IoD) service leveraging vCloud Director for self-service consumption, and vShield App for micro-segmentation of their VDCs. Leading up to VMworld, they leveraged VXLANs and vShield Edge to extend to a data center hosted at Terremark, building one of the first government hybrid clouds based on the VMware Cloud Infrastructure Suite. Kudos to Anil Karmel (Cloud and Virtualization Architect) and team for standing up these powerful environments.

While vShield Edge, App and Endpoint provide foundational protection and zoning at the perimeter, interior, and VM boundaries respectively, we are working very closely with the networking and security ecosystem (we already have working solutions with Cisco, Trend Micro, and RSA for example, with many more to come) to insert purpose-built functionality at logical boundaries, while seamlessly integrating into the management plane via vShield Manager, which in turn enables these services to be available RESTfully. The combination of logical networking and security, with integrated ecosystem offerings and programmable services, should provide the much needed advancement to support virtualization and cloud needs.

SUMMARY:

We are seeing a massive transformation in the way networking and security is being re-architected in modern virtualization/cloud data centers. Logical networks, edges and zones abstract the underlying infrastructure, and untether higher layers from the need to be infrastructure aware. The virtualization layer serves to overcome the impedance mismatch between the provider and consumer, potentially unleashing a whole new wave of innovation – secure, elastic VDCs become the new currency for private and hybrid clouds.

…VMware's vision is spot on. Networks are cool and all but ultimately they exist to move data and application bits around. VXLAN is a new way to make sure that applications and networks can do this in a more integrated and efficient way.

Cloud computing holds the promise of using shared resources in a secure, scalable and self-service manner. These basic virtues of cloud computing are placing huge demands on the physical network infrastructure in today’s data centers. While compute and storage are virtualized, the network is the last remaining barrier to workload agility. Networks continue to operate in the old way, tying workloads to the underlying physical network and to non-scalable, hard-to-automate constructs. In addition, cloud infrastructure dictates new networking constructs for multi-tenancy, application isolation, scale and increased programmability.

VMware has been working with customers to understand the key challenges as they relate to networking and the cloud. The primary feedback was the need for a network that can support hosting a large number of "tenant" applications while enabling the paradigm of elastic compute, any application to any host. Ideally, customers would like this scale, elasticity and operational efficiency on top of their existing physical infrastructure.

Eureka! - VXLAN

Armed with the requirements from our customers, VMware, along with the support of our partner ecosystem, has developed an innovative technology called VXLAN [Virtual eXtensible LAN]. VXLAN enables multi-tenant networks at scale alongside the ability to flexibly tap into any available compute/storage resources in the data center. It is the first step on the path towards logical, software-based networks that can be created on demand, enabling enterprises to leverage capacity wherever it’s available.

VXLAN provides a Layer 2 abstraction to virtual machines (VMs), independent of where they are located. It completely untethers the VMs from physical networks by allowing VMs to communicate with each other using a transparent overlay scheme over physical networks that could span Layer 3 boundaries. Since VMs are completely unaware of the physical network's constraints and only see the virtual Layer 2 adjacency, the fundamental properties of virtualization such as mobility and portability are extended to an unprecedented level.

VXLAN enables better programmability by providing a single interface to authoritatively program the logical network. Operationally, it will provide the needed control and visibility to the network admin while allowing the flexibility of elastic compute for the cloud admin.

Key technical points about VXLAN:

Uses MAC-in-UDP encapsulation to build the overlay network that can span across L3 networks.

Use of MAC-in-UDP allows efficient load-sharing with the existing data center networks due to the use of Equal Cost Multipathing (ECMP) in the core networks, unlike other encapsulation technologies such as GRE.

Takes advantage of efficient multicast protocols such as IGMP and PIM for VMs’ broadcast and multicast communication needs.
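To make the wire format concrete, here is an added example (not VMware's or vShield's code) that builds and decodes the MAC-in-UDP encapsulation described in the earlier post and in the key technical points just listed: outer IP/UDP to reach the VTEP/ESX host, the 24-bit segment ID to pick the tenant, the inner MAC to pick the vNIC, and tenant broadcasts mapped to a provider multicast group. It assumes the 8-byte VXLAN header from the IETF draft (I flag plus 24-bit VNI), UDP destination port 4789 (IANA's VXLAN assignment) and constructed tenant, vNIC and multicast-group tables standing in for what vShield Manager would hold; it also goes one step beyond the text by showing the same inner MAC reused in two segments without a clash.

```python
"""VXLAN MAC-in-UDP encapsulation and VTEP-side demultiplexing.

Added example, not VMware's or vShield's code. Assumptions: the 8-byte
VXLAN header from the IETF draft (I flag, 24-bit VNI), UDP destination
port 4789 (IANA's VXLAN assignment) and constructed tenant/vNIC tables.
"""
import ipaddress
import struct

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_I = 0x08                     # "VNI valid" flag, first header byte
BROADCAST_MAC = bytes.fromhex("ffffffffffff")

# Constructed tables standing in for what vShield Manager would hold:
# segment ID -> tenant, segment ID -> provider multicast group, and
# (segment ID, inner MAC) -> (hosting VTEP/ESX host, vNIC).
TENANTS = {0xA001: "org-alpha", 0xA002: "org-beta"}
MCAST_GROUP = {0xA001: "239.1.160.1", 0xA002: "239.1.160.2"}
VNICS = {
    (0xA001, bytes.fromhex("0050560a0001")): ("10.0.0.11", "alpha-web-vnic0"),
    (0xA001, bytes.fromhex("0050560a0002")): ("10.0.0.12", "alpha-db-vnic0"),
    # same inner MAC as alpha-web, but in another segment: separate namespace
    (0xA002, bytes.fromhex("0050560a0001")): ("10.0.0.12", "beta-web-vnic0"),
}


def ethernet_frame(dst_mac, src_mac, ethertype, payload):
    """Inner (tenant) Ethernet frame: dst(6) src(6) type(2) payload."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def vxlan_header(vni):
    """flags(8) | reserved(24) | VNI(24) | reserved(8), network byte order."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("segment ID must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def parse_vxlan_header(header):
    """Return the VNI, refusing headers whose I flag is clear."""
    flags, tail = struct.unpack("!B3xI", header[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: no valid VNI, drop")
    return tail >> 8


def ipv4_checksum(header):
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def outer_ipv4_udp(src_ip, dst_ip, payload):
    """Outer IPv4 + UDP headers; the UDP checksum is sent as zero, as the draft allows."""
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(payload), 0) + payload
    src, dst = ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp


def encapsulate(inner, vni, src_vtep):
    """Sending VTEP: unicast to the VTEP hosting a known inner MAC; broadcast,
    multicast and unknown-unicast inner frames go to the segment's multicast group."""
    dst_mac = inner[:6]
    entry = None if dst_mac[0] & 1 else VNICS.get((vni, dst_mac))
    dst_ip = entry[0] if entry else MCAST_GROUP[vni]
    return outer_ipv4_udp(src_vtep, dst_ip, vxlan_header(vni) + inner)


def decapsulate(packet):
    """Receiving VTEP: outer IP/UDP -> VNI -> tenant -> inner MAC -> vNIC."""
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl, proto, outer_dst = (fields[0] & 0x0F) * 4, fields[6], fields[9]
    if proto != 17:
        raise ValueError("not UDP, drop")
    _, dport, _, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("not VXLAN, drop")
    vni = parse_vxlan_header(packet[ihl + 8:ihl + 16])
    if vni not in TENANTS:
        raise ValueError("no tenant owns segment %#x, drop" % vni)
    inner_dst = packet[ihl + 16:ihl + 22]
    if inner_dst[0] & 1:
        target = "flood to every vNIC on the segment"
    else:
        entry = VNICS.get((vni, inner_dst))
        if entry is None:
            raise ValueError("inner MAC unknown in this segment, drop")
        target = entry[1]
    return {"outer_dst": str(ipaddress.IPv4Address(outer_dst)),
            "vni": vni, "tenant": TENANTS[vni], "target": target}
```

A frame whose VNI is not in the tenant table, or whose inner MAC is not registered in that segment, is dropped rather than delivered, which is the per-segment isolation the overlay relies on.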

Collaboration with leading Partners on VXLAN

VMware has collaborated closely with our industry partners such as Arista, Broadcom, Brocade, Cisco, Emulex, Intel and others in making this an industry-wide effort to ensure a seamless experience across virtual and physical infrastructure. As part of this effort, we have published an informational IETF draft (see http://www.ietf.org/id/draft-mahalingam-dutt-dcops-vxlan-00.txt) to detail the use case and the technology.

Key takeaway

VXLAN is the first and the flagship of a set of capabilities that we are building to deliver this new model of cloud-centric networking. At VMware, we see a need to evolve the datacenter network of today from a non-scalable, hard-to-automate network to a dynamic, workload-aware one.

Stay tuned for the update on the next blog post where we will discuss the broader story articulating the dynamic, elastic, workload-aware network built on the foundation of VXLAN.

In my last post, I hinted at the changes happening in the data center, especially with respect to networking and security architectures and deployments. To say that there are transformational changes going on in the industry in this area is an understatement - the premier networking event Interop goes live this week in Las Vegas, and will showcase some of these trends. One of the sessions of interest is hosted by the recently formed Open Networking Foundation, which will also hold an informational session Wednesday, May 11th at 11 - 11:45 to highlight the ONF vision and the future of Software Defined Networking (SDN).

The rampant adoption of server virtualization and consolidation, the emergence of server hosted desktops, along with growing interest in private and hybrid clouds, is highlighting the shortcomings of current networking & security architectures.

The following is a simplified view of existing data center networking architectures:

Virtualized servers are connected to virtual switches (1), which are connected to Top of Rack (ToR) physical switches (2). ToR switches are cabled into the core network (3). Traffic enters/leaves the data center via edge routers (4). Additional core network services like firewalls and IDS/IPS devices are implemented in End of Row (EoR) configurations (5). This results in efficient cabling and good network designs.

Typically, hosts are segregated into VLAN/subnets, and VMs are restricted to deployment within hosts in their respective "silos". First level security is achieved by hair-pinning traffic out of the VLAN and to the firewall/IPS service nodes.

This architecture worked well when servers were physical/static, with most of the traffic being “North-South”, i.e. client-server traffic. With the virtualization of servers, server consolidation is accelerating, and the amount of North-South traffic has exploded. But more challenging to the architecture is the fact that new workloads are provisioned/de-provisioned more rapidly, there is more mobility of workloads across the hosts, and there is a lot more “East-West” traffic driven by control traffic (e.g. vMotion, DRS, HBR) and access to shared services like storage and backup. When we begin to add notions of multi-tenancy and scale requirements to this new dynamic, fluid NS+EW mesh, the architecture really begins to show its age.

Some of the issues are:

Host-centric physical and static segmentation based on VLANs/subnets, curtailing the ability for VI admins to have more flexibility in consolidating VMs across hosts.

In summary, the rigidity and static nature of current network architectures stand in the way of the agility, flexibility and dynamic requirements of modern workloads. Network re-mapping becomes an ongoing, onerous task.

A better approach is needed, one which separates the consumption of these network constructs from the underlying physical network. We need to un-tether VMs from the underlying physical network, much as we un-tethered OSes from the server hardware. The approach is in line with comments made in an earlier post.

From a tenant or org or app owner perspective, we need to abstract and simplify the underlying network/security architecture, and present consumable constructs such as logical networks, edges and zones, as shown below.

Specifically, the requirements are simply stated as:

• VM workloads need to be optimally placed (manually or automagically) across the host cluster, untethered from the underlying network segmentation.

• Each vApp (logical collection of VMs) is given its own logical network(s); each logical network represents an isolated L2 broadcast domain. “A” above represents this “vApp” scenario.

• Furthermore, each tenant can further opt to partition its workspace into Trust Zones, with associated security policies. “C” above captures this scenario. Note such Trust Zones could either mirror virtual abstractions like VDCs, vApps, and PortGroups, or be fungibly abstracted based on identities, sensitive data, or administrative span of control concerns, for example.

In order to realize such a logical representation of networks, edges and zones, we need to work together across the industry (network/security/NIC vendors, virtualization providers, cloud admins) on the provider side of the equation. Let’s touch on the key areas undergoing change:

The Virtual Distributed Switch (VDS) needs to provide a homogenized “sea of ports” across the cluster of hosts; these can be grouped into “port groups”. These “port groups” are allocated on demand to each vApp, and presented as “logical networks”. Port groups are ideally backed by isolated L2 broadcast domains that span subnets, and operate in a tenant-specific namespace. There is room for innovation in delivering such “multi-tenant, L2 overlays”.

The Access tier, typically represented by Top of Rack switches, maps the logical “sea of ports” into the physical network infrastructure. Top of Rack switches are fast evolving to support higher bandwidth, lower latency, greater port density, convergence (FCoE), and ingress port to egress port one-hop routing. We can continue to see tighter linkages between the virtual switches and physical NICs above, and the network fabric below. For example, support for multi-tenancy and programmable elasticity:

Multi-tenancy refers to the need to have separate addressing namespaces for each tenant, to avoid MAC/IP/broadcast overlapping.

Programmable elasticity refers to the need to control creation of logical networks, and add/delete ports on demand.

To be able to meet the demands of such dynamic, fluid virtualized environments, where logical networks are allocated on demand, the network fabric continues to become “Fast, Fat and Flat”:

Fast meaning the ongoing trend from 1Gbps to 10Gbps and more, to support the increased north-south and east-west traffic explosion.

Flat refers to the emerging trend of moving from 3-tier networks (Core/Aggregation/Access) to 2-tier (Spine/Leaf), or even 1-tier, driven by low latency and simplified fabrics.

Note that the distinction between the Access tier and the Core/Aggregation tier is beginning to blur, so we can ultimately consider items 2 & 3 as a collective network fabric requirement.

The WAN Edge tier itself needs to get virtualized to support logical edges, available to each tenant/org on demand. Key drivers are the scale-out (versus scale-up) architecture, the ability to have customizable (even self-service, eventually) edge services on a pay-as-you-go basis, and the ability to provision such services on demand, e.g. edge firewalls, VPNs or load balancers. Note that some capabilities, e.g. DDoS detection and protection, are better left at the physical edge as a first line of defense, and where cross-tenant context is useful.

Likewise, current service node architectures in the data center need to get logical. Today, firewalls, IDS/IPS, email spam filters, NAC devices, etc., are implemented as service nodes sitting in an “End of Row” configuration, with traffic steered to such a node via “hair pinning”, i.e. traffic is forced to leave the VLAN and steered towards the service node, where several functions are chained. With increased server consolidation, increased east-west traffic, logical networks, multi-tenancy, etc., such devices become potential choke points, and we see firewall rule explosion and VLAN depletion. There are already examples of such purpose-built services getting virtualized, and logically inserted into the virtual plane on a per-tenant basis.

SUMMARY:

We are entering a new phase of data center networking, driven by the needs of modern virtualized/cloud workloads. We need to transition from an era of static, host-centric, IP-centric, pre-segmented networks, to a modern, efficient programmable network fabric, that provides dynamically allocatable logical abstractions to the new workloads. An era that leverages:

The leading conference for security professionals is almost upon us. The RSA Conference 2011 will bring together the security technorati at the Moscone Center in San Francisco this week.

This is always a good time to take stock of the major advances and shifts in focus in the security world since the last such conference. In my last post, I talked about the major security transactions in 2010. Major topics at RSA 2011 include:

- Trust-based security
- Public sector partnering with private enterprise to address cybersecurity
- Secure/compliant clouds

Art Coviello, RSA Chairman, will kick things off with a keynote on "Trust in the Cloud". Organizations worldwide have high hopes for the cloud. Hope in its potential to transform IT infrastructures, applications, and information management and in its ability to revolutionize business. But before we can trust that the cloud is safe for real business, we need a secure foundation of dynamic controls and trustworthy measurement.

Our very own Richard McAniff, Chief Development Officer & Co-president, VMware, will join Art and have a dialog on some of the advances and innovations towards a trusted cloud. Do make it a priority to tune in!

There is a significant public sector presence at the Conference. Deputy Secretary of Defense William Lynn III will discuss the Pentagon's cyber strategy. James Lewis hosts the Cyberwar, Cybersecurity, and the Challenges Ahead panel of heavy hitters in the area. At the Cloud Security Alliance summit, Federal CIO Vivek Kundra will be unveiling new cloud initiatives to a sold-out session. I'm hoping I can make it in time for the announcement - I am across the street on a Virtualization and Cloud Security panel at AGC's 7th Annual West Coast Emerging Growth Conference along with Simon Crosby (CTO, Citrix), Eric Chiu (CEO, HyTrust), John McEleney (CEO, CloudSwitch) and John Rowell (CTO, OpSource), moderated by AGC partner Scott Card.

VMware has a few partners making announcements at the conference. Do stop by the VMware booth for additional information. Also, you can follow along on Twitter @VMware and @VMwareEvents.

While the security industry was buzzing about clouds last year, the last few months have seen a shift from hype to getting down to the nuts and bolts of standing up such clouds. We at VMware have prioritized the journey to cloud computing, via an evolutionary blueprint that focuses on hybrid cloud standup. Steve has outlined this plan here. As we move from PowerPoints to actual standup, it is clear that this requires an industry-wide collaborative effort, involving technology vendors, forward-looking customers, and service providers.

Following is a prescriptive representation of hybrid vClouds, where enterprises have self-service access via a secure VPN connection to "their" corporate bubble, hosted on a shared cloud infrastructure, provided by our certified cloud partners. Primary use cases are around the notion of interoperable workloads (VMs) between the private data center and the remote virtual data centers, in line with some of the discussions I had posted earlier. Hybrid clouds begin to come to life.

As we begin to deploy such hybrid clouds, we need to tackle several issues, even in the infrastructure layer, let alone higher-level PaaS and application stacks. For example, networking topologies and architectures start to come into play. It is one thing to create air-gapped silos in enterprises, where network segmentation via VLAN/subnet delineation and hair-pinned firewalls realize separate zones of trust. The holy grail of public cloud infrastructure is the creation of banks of compute and storage resources on a fast, converged fabric interconnect, and then being able to instantly allocate secure, elastic VDCs for enterprises to place their VM collections into. In this environment, there is a need for a programmable fabric, wherein trust zones are fungibly constructed around VM/storage collections, regardless of the underlying network topology.

Easier said than done.

There are some exciting developments and initiatives underway here. I'll be blogging about this cloud/network/security interlock a lot more in coming months!

In the meantime, wishing you all a great RSA Conference 2011, and looking forward to meeting you at one of the many events.

This represents a lot of activity, with a significant amount of money (around $12 billion) changing hands.

At the RSA conference, security for virtualized infrastructure topped the category list of security innovation at this year’s RSA 2010 Innovation Sandbox competition, including Altor, Catbird and HyTrust. At VMworld, VMware launched a comprehensive vShield suite for virtualization/cloud security, and announced partnerships with Cisco, Intel, McAfee, RSA, Symantec and Trend Micro. Also at VMworld, Cisco executives introduced the Cisco Virtual Security Gateway (VSG) for Nexus 1000V.

Federal CIO Vivek Kundra unveiled a 25-point implementation plan, calling for data center consolidation, a "cloud first" policy, and secure IaaS; clearly, the federal government is committed to working in parallel with private enterprise. The WikiLeaks incident is a reminder of the need for focus and attention in these areas - it is also a harbinger of things to come in the upcoming "cloud without borders" world: does perimeter defense suffice, how do we arbitrate and police data privacy, what constitutes effective remediation and who controls jurisdiction? Sound familiar?

In this land grab phase, the role of security is clearly manifest. With security/privacy concerns a top of mind issue in the journey to these new data center architectures and cloud consumption models, there is growing consensus on the need to "build in" versus "bolt on" security into such converged/managed stacks.

So, if we use the 2010 rearview mirror as a guide to the 2011 windshield, we can expect to see a continuation of these trends. Security and network virtualization/consolidation/cloudification, and security management/orchestration/compliance will continue to be areas of investment across the industry.

While server virtualization has gone mainstream, and set the table for private cloud infrastructure, another distinct and significant trend is poised to follow in its footsteps – Virtual Desktop Infrastructure (VDI), also referred to as Hosted Virtual Desktops (HVD) by Gartner. VDI or HVD refers to the use of desktop VMs hosted in the data center (much like virtual servers), that users remotely connect into.

Recently VMware released View 4.5, which has significantly reduced the entry barrier for product adoption, gaining several kudos in the process. For example:

One feature in particular that security professionals ought to pay attention to is the “Local Mode” feature in View 4.5. Local Mode essentially enables disconnected desktop operation, making it possible for employees to take their work on the road while still enabling IT to have control over the desktop configuration. While remaining tethered to the corporate network in the typical online VDI mode, the authenticated employee now has the option to check out their respective desktop image and run it on their PC, e.g. on a business trip, airline, etc. When back on the corporate network, the image can be checked back in. Simple concept – powerful ramifications.

Desktop security has always been a big challenge for IT. 2009 saw more malware attacks on the PC than in all prior years combined. It is not uncommon for enterprises to support more than 10,000 far-flung desktops, in some cases 100,000+ desktops. Some studies peg the ongoing annual maintenance/cost for an existing PC to be in the neighborhood of $4000! A significant portion of this is related to security concerns, including patch updates, A/V updates, etc.

VDI helps lessen security risk, by consolidating desktop images in a trusted/centralized data center, where image management, patch updates, up-to-date A/V, scheduled A/V scans, data loss prevention policies and site blacklisting can be centrally managed. The challenge with VDI has been the lack of flexibility & mobility because of the “always tethered to data center” requirement. The Local Mode feature of View 4.5 addresses this issue. Let’s look at the implication from a security and compliance perspective.

While on the corporate network, authenticated users remotely access their "personalized" corporate desktop, which has been set up by IT (latest images including security software), and which is subject to scheduled anti-virus scans, and on-access scans when the user opens a file, for example.

The authenticated user checks out the image in preparation for “Local Mode” operation. This could serve as an important trigger for security/compliance policy checks, i.e. checking for sensitive data and up-to-date A/V software.

The image is now run on the user’s local desktop/laptop. The underlying OS cannot be assumed to be secure or trusted, e.g. internet usage away from the corporate environs could well result in compromised guests. Isolating corporate bubbles from underlying untrusted OSes is an area for innovation.

When the user is ready to get back on the corporate network, the check-in process is another trigger for security/compliance policy checks, e.g. image veracity and anti-virus scans.

"On Check-Out" and "On Check-In" scans are added to the repertoire of tools usable by security and compliance professionals. We expect that VDI with Local Mode gives security and compliance professionals the ability to better control the ongoing battle against malware and compromise.
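As an added illustration (not VMware's code, nor View's actual API), here is a small Python model of the two policy gates described above: a check-out gate that refuses to issue an image while A/V definitions are stale or sensitive data is found in the user's files, and a check-in gate that verifies the base disk returned is the one issued (treating the user's file area as mutable) and that the returned files pass a scan. The image layout, thresholds, patterns and markers are constructed assumptions.

```python
import hashlib
import re
from datetime import date

# Constructed policy values (assumptions for this example, not View settings).
MAX_AV_DEF_AGE_DAYS = 7
SENSITIVE_PATTERNS = [re.compile(r"\b\d{3}-\d{2}-\d{4}\b")]  # SSN-like numbers
MALWARE_MARKERS = [b"CONSTRUCTED-MALWARE-MARKER"]            # stand-in for A/V signatures

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def on_check_out(image: dict, av_def_date: date, today: date) -> tuple:
    """Check-Out gate: returns (manifest, findings); manifest is None when blocked.
    image = {"base": bytes, "files": {name: bytes}} is a constructed layout."""
    findings = []
    if (today - av_def_date).days > MAX_AV_DEF_AGE_DAYS:
        findings.append("av-definitions-stale")
    for name, content in image["files"].items():
        text = content.decode("utf-8", errors="ignore")
        if any(p.search(text) for p in SENSITIVE_PATTERNS):
            findings.append(f"sensitive-data:{name}")
    if findings:
        return None, findings
    # Record what was issued so the check-in gate can verify the base disk.
    return {"base_digest": digest(image["base"]), "issued": today.isoformat()}, []

def on_check_in(manifest: dict, image: dict) -> tuple:
    """Check-In gate: returns (accepted, findings)."""
    findings = []
    if digest(image["base"]) != manifest["base_digest"]:
        findings.append("base-disk-mismatch")
    for name, content in image["files"].items():
        if any(m in content for m in MALWARE_MARKERS):
            findings.append(f"malware:{name}")
    return not findings, findings

# Constructed sample data: a clean image, and the same image after a road trip.
SAMPLE = {"base": b"corp-desktop-base-v12", "files": {"notes.txt": b"meeting at 10"}}
SAMPLE_RETURNED = {"base": SAMPLE["base"],
                   "files": {"notes.txt": b"meeting at 10",
                             "dl.exe": b"xxCONSTRUCTED-MALWARE-MARKER"}}
SAMPLE_AV_DEFS, STALE_AV_DEFS, SAMPLE_TODAY = date(2010, 10, 1), date(2010, 9, 1), date(2010, 10, 4)

if __name__ == "__main__":
    manifest, f = on_check_out(SAMPLE, SAMPLE_AV_DEFS, SAMPLE_TODAY)
    print("check-out:", "issued" if manifest else "blocked", f)
    print("check-in:", on_check_in(manifest, SAMPLE_RETURNED))
```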

I'm just back from VMworld Copenhagen and a trip to our development center in India. VMworld Europe turned out to be as invigorating as the one in San Francisco. The setting was more intimate. My favorite session was the CTO get-together hosted by Steve Herrod, where we had a chance to catch up with vExperts, bloggers and virtualization gurus from around the world, and engage in some invigorating conversations.

On my way from Copenhagen to Mumbai, sitting at the airport in Istanbul, I got a chance to catch up with my inbox. One note in particular resonated with me: a research paper published by Neil MacDonald and Thomas

The virtualization of data centers lays the foundation for building private clouds. Just as security infrastructure needed to evolve to secure virtualized environments, it needs to evolve further to support private clouds.

Neil has been involved with virtualization security since its inception, and the insights provided here will help frame the dialog on how enterprises tackle the issue of securing virtualized infrastructure on the way to deploying private clouds.

Some of the areas touched upon:

The need to virtualize security controls to prepare for private clouds

I spent the early part of the week at the inspiring St. Regis in Southern California for the annual InfoWeek 500, a gathering for CIOs from leading global companies. These events are a great forum for CIOs and industry leaders to share experiences in the rollout of major technology initiatives. Not surprisingly, some of the biggest areas of focus were on clouds, virtualization and SaaS.

First up for me was the VMware round table with around 50 CIOs – Security and Compliance in Private and Public clouds. We had a very interactive session discussing the interplay between virtualization and cloud computing, public v. private v. hybrid clouds, and the security and privacy concerns in each scenario, with different folks sharing where they were in their adoption. Some takeaways:

Virtualization is about cost-effective, efficient, elastic PRODUCTION of cloud services; once virtualized, resources are available on demand.

It seems like cloud adoption starts with Private Clouds, where security and compliance are a continuation of current best practices. Most enterprises seem to be “data huggers”, i.e. they are not about to move sensitive data out of sight, let alone to some cloud somewhere. Retaining control of their assets, privacy of their sensitive information and security of their assets, while gaining experience with satisfying the immediate-gratification appetite of their demanding lines of business, are some of the key drivers for private clouds.

At the general session, Eli Lilly shared their experience with clouds – one of the first enterprises to publicly do so. After spending a couple of years virtualizing their data centers to obviate the need for additional data centers, they decided to take their “discovery” app, which leverages community databases and has high compute needs, to the public cloud. This seems to be a great use case for public clouds: not-so-sensitive/public data, transient workloads, with peak compute requirements far exceeding in-house capacity.

Their success here is leading them to examine hybrid clouds – to deal with workloads that are not cost-effectively satisfied with in-house capacity, but are important enough to merit coming back in house further down the road. Some insightful quips – “we are less worried about vendor lock in, than time to value; … and interoperability with our in-house, (virtualized) data centers is a key requirement”. Here security issues are manifest.

After talking with many interesting and experienced CIOs this week, my overall sense is that virtualization has definitely become the accepted data center architecture, with lots of interest in evolving these to private clouds. There is some grass-roots experimentation with public clouds for “long tail” apps (with low data privacy requirements), with great interest in hybrid clouds that are somewhat compatible/interoperable with private clouds, yet secure, to give enterprises maximum flexibility.

To address the top of mind security/privacy/compliance needs in hybrid clouds, I had several discussions regarding virtualization of security in private clouds first (per my earlier note), thereby proactively preparing for the (inevitable!) co-existence with hybrid clouds. Secure private clouds pave the way, and if virtualization history has taught us anything, the sooner we embrace these architectures the less friction down the road.

To sum it up, one important question that was posed: “Is Cloud Computing a vendor push, or does it satisfy an enterprise need?” Early work in adopting private, hybrid and public clouds seems to suggest it is the latter – removing some of the early control, privacy and security concerns greases the tracks. And lest we forget, one of the panelists summed it up so well – “At the end of the day, it is not about IaaS, PaaS, SaaS, etc., it is about Outcomes as a Service”, i.e. are these technologies enabling us to drive desired business outcomes sooner?